From: reyk <reyk@openbsd.org>
Date: Thu, 22 Jan 2015 09:26:05 +0000 (+0000)
Subject: LibreSSL now supports loading of CA certificates from memory, replace
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1afa0f7ffb5460245a1d84a525e31887165ec859;p=openbsd

LibreSSL now supports loading of CA certificates from memory, replace
the internal and long-serving ssl_ctx_load_verify_memory() function
with a call to the SSL_CTX_load_verify_mem() API function.  The
ssl_privsep.c file with hacks for using OpenSSL in privsep'ed
processes can now go away; portable versions of smtpd and relayd
should start depending on LibreSSL or they have to carry ssl_privsep.c
in openbsd-compat to work with legacy OpenSSL.  No functional change.

Based on previous discussions with gilles@ bluhm@ and many others
OK bluhm@ (as part of the libcrypto/libssl/libtls diff)
---

diff --git a/usr.sbin/relayd/Makefile b/usr.sbin/relayd/Makefile
index e573d9acfd5..066acfa72f9 100644
--- a/usr.sbin/relayd/Makefile
+++ b/usr.sbin/relayd/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.27 2014/04/21 14:57:17 reyk Exp $
+#	$OpenBSD: Makefile,v 1.28 2015/01/22 09:26:05 reyk Exp $
 
 PROG=		relayd
 SRCS=		parse.y
@@ -6,7 +6,7 @@ SRCS+=		agentx.c ca.c carp.c check_icmp.c check_script.c \
 		check_tcp.c config.c control.c hce.c log.c name2id.c \
 		pfe.c pfe_filter.c pfe_route.c proc.c \
 		relay.c relay_http.c relay_udp.c relayd.c \
-		shuffle.c snmp.c ssl.c ssl_privsep.c
+		shuffle.c snmp.c ssl.c
 MAN=		relayd.8 relayd.conf.5
 
 LDADD=		-levent -lssl -lcrypto -lutil
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 091db106075..f69a91228db 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: relay.c,v 1.187 2015/01/16 15:08:52 reyk Exp $	*/
+/*	$OpenBSD: relay.c,v 1.188 2015/01/22 09:26:05 reyk Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2051,7 +2051,7 @@ relay_tls_ctx_create(struct relay *rlay)
 	/* Verify the server certificate if we have a CA chain */
 	if ((rlay->rl_conf.flags & F_TLSCLIENT) &&
 	    (rlay->rl_tls_ca != NULL)) {
-		if (!ssl_ctx_load_verify_memory(ctx,
+		if (!SSL_CTX_load_verify_mem(ctx,
 		    rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len))
 			goto err;
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index e67ca49a5e3..e78ecc674fa 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: relayd.h,v 1.205 2015/01/16 15:08:52 reyk Exp $	*/
+/*	$OpenBSD: relayd.h,v 1.206 2015/01/22 09:26:05 reyk Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -1220,9 +1220,6 @@ int	 ssl_load_pkey(const void *, size_t, char *, off_t,
 int	 ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
 	    char *, off_t, X509 **, EVP_PKEY **);
 
-/* ssl_privsep.c */
-int	 ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
-
 /* ca.c */
 pid_t	 ca(struct privsep *, struct privsep_proc *);
 void	 ca_engine_init(struct relayd *);
diff --git a/usr.sbin/relayd/ssl_privsep.c b/usr.sbin/relayd/ssl_privsep.c
deleted file mode 100644
index b90d5960b11..00000000000
--- a/usr.sbin/relayd/ssl_privsep.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*      $OpenBSD: ssl_privsep.c,v 1.11 2015/01/16 15:08:52 reyk Exp $    */
-
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/*
- * SSL operations needed when running in a privilege separated environment.
- * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
- */
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <unistd.h>
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/bio.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-
-int	 ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
-int	 ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
-
-X509_LOOKUP_METHOD x509_mem_lookup = {
-	"Load cert from memory",
-	NULL,			/* new */
-	NULL,			/* free */
-	NULL,			/* init */
-	NULL,			/* shutdown */
-	ssl_by_mem_ctrl,	/* ctrl */
-	NULL,			/* get_by_subject */
-	NULL,			/* get_by_issuer_serial */
-	NULL,			/* get_by_fingerprint */
-	NULL,			/* get_by_alias */
-};
-
-#define X509_L_ADD_MEM	3
-
-int
-ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len)
-{
-	X509_LOOKUP		*lu;
-	struct iovec		 iov;
-
-	if ((lu = X509_STORE_add_lookup(ctx->cert_store,
-	    &x509_mem_lookup)) == NULL)
-		return (0);
-
-	iov.iov_base = buf;
-	iov.iov_len = len;
-
-	if (!ssl_by_mem_ctrl(lu, X509_L_ADD_MEM,
-	    (const char *)&iov, X509_FILETYPE_PEM, NULL))
-		return (0);
-
-	return (1);
-}
-
-int
-ssl_by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf,
-    long type, char **ret)
-{
-	STACK_OF(X509_INFO)	*inf;
-	const struct iovec	*iov;
-	X509_INFO		*itmp;
-	BIO			*in = NULL;
-	int			 i, count = 0;
-
-	iov = (const struct iovec *)buf;
-
-	if (type != X509_FILETYPE_PEM)
-		goto done;
-
-	if ((in = BIO_new_mem_buf(iov->iov_base, iov->iov_len)) == NULL)
-		goto done;
-
-	if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
-		goto done;
-
-	for (i = 0; i < sk_X509_INFO_num(inf); i++) {
-		itmp = sk_X509_INFO_value(inf, i);
-		if (itmp->x509) {
-			X509_STORE_add_cert(lu->store_ctx, itmp->x509);
-			count++;
-		}
-		if (itmp->crl) {
-			X509_STORE_add_crl(lu->store_ctx, itmp->crl);
-			count++;
-		}
-	}
-	sk_X509_INFO_pop_free(inf, X509_INFO_free);
-
- done:
-	if (!count)
-		X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
-
-	if (in != NULL)
-		BIO_free(in);
-	return (count);
-}
diff --git a/usr.sbin/smtpd/smtpd/Makefile b/usr.sbin/smtpd/smtpd/Makefile
index cf751b62868..5defaf6039b 100644
--- a/usr.sbin/smtpd/smtpd/Makefile
+++ b/usr.sbin/smtpd/smtpd/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.77 2014/12/14 15:26:56 gilles Exp $
+#	$OpenBSD: Makefile,v 1.78 2015/01/22 09:26:05 reyk Exp $
 
 .PATH:		${.CURDIR}/..
 
@@ -10,7 +10,7 @@ SRCS=		aliases.c bounce.c ca.c compress_backend.c config.c		\
 		log.c mda.c mproc.c				\
 		mta.c mta_session.c parse.y pony.c queue.c queue_backend.c	\
 		ruleset.c runq.c scheduler.c scheduler_backend.c		\
-		smtp.c smtp_session.c smtpd.c ssl.c ssl_privsep.c		\
+		smtp.c smtp_session.c smtpd.c ssl.c				\
 		ssl_smtpd.c stat_backend.c table.c to.c tree.c util.c		\
 		waitq.c
 
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 28d4ed816a6..0bc82363f20 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.h,v 1.10 2015/01/16 15:08:52 reyk Exp $	*/
+/*	$OpenBSD: ssl.h,v 1.11 2015/01/22 09:26:05 reyk Exp $	*/
 /*
  * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
  *
@@ -50,7 +50,6 @@ DH	       *get_dh1024(void);
 DH	       *get_dh_from_memory(char *, size_t);
 void		ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
 void		ssl_set_ecdh_curve(SSL_CTX *, const char *);
-extern int	ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
 char	       *ssl_load_file(const char *, off_t *, mode_t);
 char	       *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);
 
@@ -67,5 +66,4 @@ int		ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
 		    char *, off_t, X509 **, EVP_PKEY **);
 
 /* ssl_privsep.c */
-int		ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
 int		ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
diff --git a/usr.sbin/smtpd/ssl_privsep.c b/usr.sbin/smtpd/ssl_privsep.c
deleted file mode 100644
index aa8c15d7210..00000000000
--- a/usr.sbin/smtpd/ssl_privsep.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/*      $OpenBSD: ssl_privsep.c,v 1.8 2015/01/16 15:08:52 reyk Exp $    */
-
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/*
- * SSL operations needed when running in a privilege separated environment.
- * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
- */
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <unistd.h>
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/bio.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-
-int	 ssl_ctx_use_private_key(SSL_CTX *, char *, off_t);
-int	 ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
-int	 ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
-
-X509_LOOKUP_METHOD x509_mem_lookup = {
-	"Load cert from memory",
-	NULL,			/* new */
-	NULL,			/* free */
-	NULL,			/* init */
-	NULL,			/* shutdown */
-	ssl_by_mem_ctrl,	/* ctrl */
-	NULL,			/* get_by_subject */
-	NULL,			/* get_by_issuer_serial */
-	NULL,			/* get_by_fingerprint */
-	NULL,			/* get_by_alias */
-};
-
-#define X509_L_ADD_MEM	3
-
-int
-ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len)
-{
-	X509_LOOKUP		*lu;
-	struct iovec		 iov;
-
-	if ((lu = X509_STORE_add_lookup(ctx->cert_store,
-	    &x509_mem_lookup)) == NULL)
-		return (0);
-
-	iov.iov_base = buf;
-	iov.iov_len = len;
-
-	if (!ssl_by_mem_ctrl(lu, X509_L_ADD_MEM,
-	    (const char *)&iov, X509_FILETYPE_PEM, NULL))
-		return (0);
-
-	return (1);
-}
-
-int
-ssl_by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf,
-    long type, char **ret)
-{
-	STACK_OF(X509_INFO)	*inf;
-	const struct iovec	*iov;
-	X509_INFO		*itmp;
-	BIO			*in = NULL;
-	int			 i, count = 0;
-
-	iov = (const struct iovec *)buf;
-
-	if (type != X509_FILETYPE_PEM)
-		goto done;
-
-	if ((in = BIO_new_mem_buf(iov->iov_base, iov->iov_len)) == NULL)
-		goto done;
-
-	if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
-		goto done;
-
-	for (i = 0; i < sk_X509_INFO_num(inf); i++) {
-		itmp = sk_X509_INFO_value(inf, i);
-		if (itmp->x509) {
-			X509_STORE_add_cert(lu->store_ctx, itmp->x509);
-			count++;
-		}
-		if (itmp->crl) {
-			X509_STORE_add_crl(lu->store_ctx, itmp->crl);
-			count++;
-		}
-	}
-	sk_X509_INFO_pop_free(inf, X509_INFO_free);
-
- done:
-	if (!count)
-		X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
-
-	if (in != NULL)
-		BIO_free(in);
-	return (count);
-}